Seal/unseal mechanisms, Authorization

Author: satiracode

build.gradle

@@ -1,6 +1,6 @@
 plugins {
-    id 'org.jetbrains.kotlin.jvm' version "2.0.21"
-    id "org.jetbrains.kotlin.plugin.allopen" version "2.0.21"
+    id 'org.jetbrains.kotlin.jvm' version "2.1.20"
+    id "org.jetbrains.kotlin.plugin.allopen" version "2.1.20"
     id 'io.quarkus'
 }
 
@@ -31,23 +31,30 @@ dependencies {
     implementation 'org.jetbrains.kotlin:kotlin-stdlib-jdk8'
     implementation 'io.quarkus:quarkus-arc'
     implementation 'org.mapdb:mapdb:3.1.0'
+    implementation 'com.github.ben-manes.caffeine:caffeine:3.2.0'
 
     implementation 'io.projectreactor:reactor-core:3.7.5'
     implementation 'io.smallrye.reactive:mutiny-reactor:2.8.0'
 
     implementation 'com.fasterxml.jackson.module:jackson-module-kotlin:2.18.3'
 
-    implementation 'org.exploit.threshield:gg20:0.0.5'
-    implementation 'org.exploit.threshield:frost:0.0.5'
-    implementation 'org.exploit.threshield:ed25519:0.0.5'
-    implementation 'org.exploit.threshield:core:0.0.5'
+    implementation 'org.exploit.threshield:gg20:0.0.6'
+    implementation 'org.exploit.threshield:frost:0.0.6'
+    implementation 'org.exploit.threshield:ed25519:0.0.6'
+    implementation 'org.exploit.threshield:core:0.0.6'
+
+    implementation 'com.nimbusds:nimbus-jose-jwt:10.2'
 
     implementation 'org.exploit:jettyx:0.1.6'
     implementation 'org.exploit:jettyx-jackson:0.1.6'
     implementation 'org.exploit:jettyx-http2:0.1.6'
 
     implementation 'org.exploit:signalix:0.1.3'
 
+    implementation 'software.amazon.awssdk:kms:2.31.33'
+    implementation 'com.google.cloud:google-cloud-kms:2.63.0'
+    implementation 'com.oracle.oci.sdk:oci-java-sdk-keymanagement:3.63.3'
+
     testImplementation 'io.quarkus:quarkus-junit5'
 }
 

gradle.properties

@@ -2,7 +2,7 @@
 
 # Gradle properties
 quarkusPluginId=io.quarkus
-quarkusPluginVersion=3.21.3
+quarkusPluginVersion=3.22.2
 quarkusPlatformGroupId=io.quarkus.platform
 quarkusPlatformArtifactId=quarkus-bom
-quarkusPlatformVersion=3.21.3
+quarkusPlatformVersion=3.22.2

src/main/kotlin/org/exploit/keeper/adapter/AuthAdapter.kt

@@ -0,0 +1,25 @@
+package org.exploit.keeper.adapter
+
+import jakarta.enterprise.inject.Produces
+import jakarta.inject.Singleton
+import org.exploit.keeper.service.auth.NoOpMachineAuthenticator
+import org.exploit.keeper.service.auth.RequestAuthenticator
+import org.exploit.keeper.service.auth.factory.MachineAuthenticatorFactory
+import org.slf4j.Logger
+import org.slf4j.LoggerFactory
+
+@Singleton
+class AuthAdapter(private val factory: MachineAuthenticatorFactory) {
+    @Produces
+    @Singleton
+    fun authenticator(): RequestAuthenticator =
+        factory.createAuthenticator().also {
+            if (it is NoOpMachineAuthenticator) {
+                LOGGER.warn("Authorization is not configured. Endpoints will be accessible without authentication.")
+            }
+        }
+
+    private companion object {
+        val LOGGER: Logger = LoggerFactory.getLogger(AuthAdapter::class.java)
+    }
+}

src/main/kotlin/org/exploit/keeper/adapter/JettyxAdapter.kt

@@ -30,7 +30,6 @@ class JettyxAdapter(
         .executor(Executors.newWorkStealingPool(config.parallelism()))
         .build()
 
-
     @Produces
     @Singleton
     fun authenticator(): KeeperAuthenticator {

src/main/kotlin/org/exploit/keeper/adapter/LMKDBAdapter.kt

@@ -5,16 +5,18 @@ import jakarta.enterprise.inject.Produces
 import jakarta.inject.Singleton
 import org.exploit.keeper.config.KeeperConfig
 import org.exploit.keeper.db.LMKDB
+import org.exploit.keeper.service.seal.provider.SealProvider
 
 @Startup
 @Singleton
-class LMKDBAdapter(private val config: KeeperConfig) {
-
+class LMKDBAdapter(
+    private val config: KeeperConfig,
+    private val provider: SealProvider
+) {
     @Produces
     @Singleton
     @Startup
     fun lmkdb(): LMKDB {
-        val password = System.console().readPassword("Enter master-password: ")
-        return LMKDB(config.databasePath(), password)
+        return LMKDB(config.databasePath()) { provider.keyOpsOrThrow() }
     }
 }

src/main/kotlin/org/exploit/keeper/adapter/SealAdapter.kt

@@ -0,0 +1,14 @@
+package org.exploit.keeper.adapter
+
+import jakarta.enterprise.inject.Produces
+import jakarta.inject.Singleton
+import org.exploit.keeper.service.seal.provider.SealProvider
+import org.exploit.keeper.service.seal.provider.factory.SealProviderFactory
+
+@Singleton
+class SealAdapter(private val factory: SealProviderFactory) {
+    @Produces
+    @Singleton
+    fun sealProvider(): SealProvider =
+        factory.createProvider()
+}

src/main/kotlin/org/exploit/keeper/api/FrostApi.kt

@@ -5,9 +5,8 @@ import org.exploit.jettyx.annotation.Body
 import org.exploit.jettyx.annotation.HttpRequest
 import org.exploit.jettyx.annotation.Query
 import org.exploit.keeper.model.common.InitSession
-import org.exploit.keeper.model.common.Value
-import org.exploit.keeper.model.frost.FrostCommitmentDto
-import java.math.BigInteger
+import org.exploit.keeper.model.frost.ComputedZ
+import org.exploit.keeper.model.frost.FrostOperationCommitment
 import java.util.concurrent.CompletableFuture
 
 interface FrostApi {
@@ -17,7 +16,7 @@ interface FrostApi {
     @HttpRequest(method = HttpMethod.POST, path = "/v1/frost/commitment")
     fun storeCommitment(
         @Query("sessionId") sessionId: String,
-        @Body body: FrostCommitmentDto
+        @Body body: FrostOperationCommitment
     ): CompletableFuture<Void>
 
     @HttpRequest(method = HttpMethod.POST, path = "/v1/frost/commitment/broadcast")
@@ -28,7 +27,7 @@ interface FrostApi {
     @HttpRequest(method = HttpMethod.GET, path = "/v1/frost/signature/z")
     fun computeZ(
         @Query("sessionId") sessionId: String
-    ): CompletableFuture<Value<BigInteger>>
+    ): CompletableFuture<ComputedZ>
 
     @HttpRequest(method = HttpMethod.GET, path = "/v1/frost/abort")
     fun abort(

src/main/kotlin/org/exploit/keeper/component/exception/BitKeeperExceptionMapper.kt

@@ -0,0 +1,16 @@
+package org.exploit.keeper.component.exception
+
+import jakarta.ws.rs.core.Response
+import jakarta.ws.rs.ext.ExceptionMapper
+import jakarta.ws.rs.ext.Provider
+import org.exploit.keeper.exception.BitKeeperException
+import org.exploit.keeper.model.ErrorMessage
+
+@Provider
+class BitKeeperExceptionMapper: ExceptionMapper<BitKeeperException> {
+    override fun toResponse(p0: BitKeeperException): Response? {
+        return Response.status(p0.code)
+            .entity(ErrorMessage(p0.message ?: "Unknown error"))
+            .build()
+    }
+}

src/main/kotlin/org/exploit/keeper/component/listener/SessionListener.kt

@@ -8,8 +8,8 @@ import org.exploit.keeper.extension.toMono
 import org.exploit.keeper.model.event.SessionCleanEvent
 import org.exploit.keeper.model.event.SessionFailedEvent
 import org.exploit.keeper.service.client.BitKeeperClients
-import org.exploit.keeper.service.frost.FrostSessionFactory
-import org.exploit.keeper.service.gg20.GG20SessionFactory
+import org.exploit.keeper.service.signature.frost.FrostSessionFactory
+import org.exploit.keeper.service.signature.gg20.GG20SessionFactory
 import org.exploit.signalix.annotations.EventHandler
 import org.exploit.signalix.manager.EventScope
 import org.exploit.signalix.marker.Listener
@@ -49,7 +49,7 @@ class SessionListener(
 
     private fun collectParticipants(sessionId: String, type: SessionType): List<Int> =
         when (type) {
-            SessionType.GG20 -> gg20.session(sessionId).context().crypto().participants()
+            SessionType.GG20 -> gg20.session(sessionId).client.context().crypto().participants()
             SessionType.FROST -> frost.session(sessionId).client.context().crypto().participants()
         }
 

src/main/kotlin/org/exploit/keeper/config/AuthConfig.kt

@@ -0,0 +1,16 @@
+package org.exploit.keeper.config
+
+import io.smallrye.config.ConfigMapping
+import io.smallrye.config.WithDefault
+import org.exploit.keeper.config.auth.JwtAuthConfig
+import java.util.*
+
+@ConfigMapping(prefix = "keeper.auth")
+interface AuthConfig {
+    fun type(): String
+
+    @WithDefault("false")
+    fun allowAnonymous(): Boolean
+
+    fun jwt(): Optional<JwtAuthConfig>
+}